Here's how the N.W.T. gov't failed to protect your privacy in 2019
Privacy commissioner's annual report catalogues 18 errors, mistakes and the misuse of personal information
What can go wrong with personal information in the N.W.T.?
All kinds of things, according to Information and Privacy Commissioner Elaine Keenan Bengts.
Her annual report for the year 2018-2019 includes 18 case studies involving errors, mistakes and the misuse of personal information by a variety of public bodies.
The commissioner's role is to review such cases and make recommendations to prevent them in the future.
"All it takes is one mistake to create huge repercussions," Keenan Bengts said, citing the theft of a health department laptop and the discovery of medical records in the Fort Simpson dump as two major examples.
But there were plenty more.
Medical records used for discipline
In one case, an employee complained that the government department he worked for misused information contained in an "overly detailed" medical prognosis, obtained for the purpose of accommodation in the workplace.
The information was later used in disciplinary proceedings against the employee.
"The number one rule in privacy is you only use info for the purpose you collect it," Keenan Bengts said.
But the employer, the Department of Municipal and Community Affairs, rejected Keenan Bengt's recommendations.
Rejecting recommendations, Keenan Bengts noted, will no longer be an option once the updated Access to Information and Protection of Privacy Act comes into force and makes her recommendations legally binding.
That's due to happen in early 2020.
'Gossip and innuendo'
In another case, the privacy commissioner rebuked the N.W.T. Health and Social Services Authority for the way it handled an employee on leave for health issues. The employer made several requests for a medical prognosis to meet the duty to accommodate.
"In at least one instance, the request included statements about events in the workplace and some that had been observed outside of work," the report reads.
We live in small communities. Everyone knows everybody's business.- Elaine Keenan Bengts, N.W.T. privacy commissioner
The requests were seen by several of the employee's colleagues who had access to personnel records.
"It is a slippery slope when gossip and innuendo can be 'collected' and then used by a public body to make decisions that will affect an individual in his employment setting," the report concludes.
"Unfortunately this is not an unusual kind of situation," Keenan Bengts said. "We live in small communities. Everyone knows everybody's business."
Gossip was the subject of another case where someone sought access to their medical records and learned they had been labelled a "drug seeker" and "known narcotic abuser."
While investigating whether these labels could be fairly included in the file — they can — the privacy commissioner also noted that one entry was "more akin to gossip then medical opinion" and recommended it be removed.
Consent to collect data essential
In another case, a complainant accused the Northwest Territories Housing Corporation of posing as a potential landlord to ask a tenant's former landlord about their financial circumstances — after they had left public housing.
The housing corporation denied lying about why they were calling, but did admit to getting the information in order to determine whether the tenant had defrauded the corporation.
The privacy commissioner found the tenant had not consented to the information probe, but also found the public body was authorized to collect information as a way to prevent fraud. She recommended the corporation alter its application form to make it clear that personal information can be used "to ensure the integrity of the subsidy program."
In other words, the call is allowed, so long as the consent form the tenant originally signed is detailed enough.
Prescription drug mix-ups
The report also references a "rather alarming" amount of instances where prescription drugs are issued to the wrong person.
Keenan Bengts said she recently reviewed "seven or eight" cases where doctors issued prescriptions to someone with a same or similar name — including a case where one man, after a doctor's visit, got a prescription under his nephew's name.
[They're] trying to protect certain information from disclosure because it might be embarrassing- Elaine Keenan Bengts, N.W.T. privacy commissioner
Keenan Bengts called this "dangerous," and says doctors should be using a name and a birthdate to verify their patients' identity.
"Many of these errors are because they haven't done that second check."
Too much redaction
Keenan Bengts said the number of privacy breaches being reported by public bodies has gone up "significantly" — and that's a good thing.
"When a breach happens, they're now starting to recognize it," she said.
Fax machines used for medical records remains a problem.
"While the number of breach incidents as a result of misdirected faxes is down somewhat, this type of breach continues to occur with disturbing regularity."
She also dealt with several complaints about access to information requests, including several where public bodies were found to be too heavy-handed in redacting information ultimately released.
That finding applied to the departments of Health; Infrastructure; Education, Culture and Employment; Municipal and Community Affairs and Justice.
"It's not an exact science by any stretch," Keenan Bengts said, but noted in some cases "the public body is trying to protect certain information from disclosure because it might be embarrassing or might not reflect well on the public body."
"But that's what I'm here for. That's the whole purpose of having an independent review officer, so that when public bodies try to hide behind these exceptions, they can be called out for it."